MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0
SHA3-384 hash: 23ea28dfec6d9105045dca508ff74fb7955328a5dc2e5e5f82e667e07d08f76666b477ff845e6bdb7489859da4b9857e
SHA1 hash: 6823cb3f7c8e2b62222805e5af0efae33cf2eaef
MD5 hash: 1835b641b0e0009bda11d7e4f29c8431
humanhash: winner-cardinal-spring-hotel
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:2'158'354 bytes
First seen:2023-05-29 14:27:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b45c54aa05ec107d5ef90662e6b33 (363 x GCleaner, 38 x Socks5Systemz, 3 x Backdoor.TeamViewer)
ssdeep 49152:WijJycPs8aEooAu9TM9r853Vga4GIrEVEus8wuw:WijJy055x53Vj4GXq59
Threatray 3'794 similar samples on MalwareBazaar
TLSH T1D3A53335B1498A3EE793CBB34E258A860D3A713185F54D9C310D6DE30B3A663B5A7327
TrID 82.8% (.EXE) Inno Setup installer (109740/4/30)
10.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.4% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Generic Win/DOS Executable (2002/3)
1.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe gcleaner


Avatar
andretavare5
Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-29 14:29:21 UTC
Tags:
installer gcleaner
Link:
https://app.any.run/tasks/e9de0de9-6e99-49fb-bfe5-6dd1a8c9ab3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393104/
Detection(s):
PUA.Win.Packer.Overlay-1
Create hunting rule

SecuriteInfo.com.Downloader.Generic7.ITV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Launching a process
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88524/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware installer lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6474b673f5cd8a92a32f0a13/reports/e1e69d9d-2d05-4e1d-bb33-fd17f0f9c7e5/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fab6aef8-dea3-4789-a98e-9630c7f2b51a
Result
Threat name:
MinerDownloader, Nymaim, RedLine, Vidar,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244508
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 877514 Sample: file.exe Startdate: 29/05/2023 Architecture: WINDOWS Score: 100 120 45.12.253.98 CMCSUS Germany 2->120 122 pastebin.com 2->122 174 Snort IDS alert for network traffic 2->174 176 Found malware configuration 2->176 178 Malicious sample detected (through community Yara rule) 2->178 180 19 other signatures 2->180 15 file.exe 2 2->15         started        18 cmd.exe 2->18         started        signatures3 process4 file5 112 C:\Users\user\AppData\Local\...\is-T04KA.tmp, PE32 15->112 dropped 20 is-T04KA.tmp 10 23 15->20         started        23 conhost.exe 18->23         started        25 chcp.com 18->25         started        process6 file7 88 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->88 dropped 90 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 20->90 dropped 92 C:\...\unins000.exe (copy), PE32 20->92 dropped 94 5 other files (4 malicious) 20->94 dropped 27 Rec529.exe 29 20->27         started        process8 dnsIp9 138 45.12.253.56, 49692, 80 CMCSUS Germany 27->138 140 45.12.253.72, 49693, 80 CMCSUS Germany 27->140 142 45.12.253.75, 49694, 49696, 80 CMCSUS Germany 27->142 104 C:\Users\user\AppData\...behaviorgraph12PR0jVyrZNe.exe, PE32 27->104 dropped 106 C:\Users\user\AppData\...\Pwid21KROp.exe, PE32 27->106 dropped 108 C:\Users\user\AppData\...\ZLWrPvR6Sd.exe, PE32 27->108 dropped 110 4 other malicious files 27->110 dropped 31 Pwid21KROp.exe 11 27->31         started        35 ZLWrPvR6Sd.exe 5 27->35         started        38 stWp.exe 27->38         started        40 2 other processes 27->40 file10 process11 dnsIp12 114 C:\Users\user\AppData\...\mcz0xwxdy3l.exe, PE32 31->114 dropped 116 C:\Users\user\AppData\...\epo2fxguyfxq.exe, PE32 31->116 dropped 144 Multi AV Scanner detection for dropped file 31->144 42 cmd.exe 1 31->42         started        124 185.81.68.115, 2920, 49695 KLNOPT-ASFI Finland 35->124 146 Detected unpacking (changes PE section rights) 35->146 148 Detected unpacking (overwrites its own PE header) 35->148 150 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->150 152 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->152 126 t.me 149.154.167.99, 443, 49697 TELEGRAMRU United Kingdom 38->126 128 5.75.209.76, 3306, 49698 HETZNER-ASDE Germany 38->128 130 2 other IPs or domains 38->130 154 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->154 156 Tries to harvest and steal browser information (history, passwords, etc) 38->156 158 Tries to steal Crypto Currency Wallets 38->158 45 conhost.exe 40->45         started        47 taskkill.exe 40->47         started        file13 signatures14 process15 signatures16 182 Encrypted powershell cmdline option found 42->182 184 Uses schtasks.exe or at.exe to add and modify task schedules 42->184 49 epo2fxguyfxq.exe 42->49         started        52 mcz0xwxdy3l.exe 42->52         started        54 cmd.exe 1 42->54         started        56 conhost.exe 42->56         started        process17 signatures18 160 Antivirus detection for dropped file 49->160 162 Multi AV Scanner detection for dropped file 49->162 164 Machine Learning detection for dropped file 49->164 166 Sample uses process hollowing technique 49->166 58 RegSvcs.exe 49->58         started        61 RegSvcs.exe 49->61         started        63 RegSvcs.exe 49->63         started        70 3 other processes 49->70 168 Writes to foreign memory regions 52->168 170 Allocates memory in foreign processes 52->170 172 Injects a PE file into a foreign processes 52->172 65 RegSvcs.exe 52->65         started        68 WerFault.exe 52->68         started        process19 dnsIp20 186 Writes to foreign memory regions 58->186 188 Injects a PE file into a foreign processes 58->188 72 AppLaunch.exe 58->72         started        77 conhost.exe 58->77         started        118 95.217.63.153, 21969, 49719 HETZNER-ASDE Germany 65->118 190 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->190 192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->192 194 Tries to harvest and steal browser information (history, passwords, etc) 65->194 196 Tries to steal Crypto Currency Wallets 65->196 signatures21 process22 dnsIp23 132 github.com 140.82.121.4, 443, 49713, 49714 GITHUBUS United States 72->132 134 raw.githubusercontent.com 185.199.108.133, 443, 49715, 49717 FASTLYUS Netherlands 72->134 136 pastebin.com 104.20.68.143, 443, 49712, 49720 CLOUDFLARENETUS United States 72->136 96 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 72->96 dropped 98 C:\ProgramData\Dllhost\dllhost.exe, PE32 72->98 dropped 100 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 72->100 dropped 102 C:\ProgramData\HostData\logs.uce, ASCII 72->102 dropped 198 Sample is not signed and drops a device driver 72->198 79 cmd.exe 72->79         started        82 cmd.exe 72->82         started        84 cmd.exe 72->84         started        file24 signatures25 process26 signatures27 200 Encrypted powershell cmdline option found 79->200 86 conhost.exe 79->86         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 14:28:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5a32gm7txhnbhhgv6g5s5fgomro6pjgoivc24m35rhs4wk4xtya._file
Verdict:
unknown
Similar samples:
1e318a523cb5a76b7ca21cface9d2c638c1eb615ac4ed06f5eaca67ff0bba9a9
GCleaner
2c735da73853ebc6bc1729c0d2ddabc4ac2d77dd6c88ec169bce9c141a4072a4
GCleaner
8db1731a7a729345d0185861d3909e68d431f57cfa4c7357eebedf7eeb39abcd
GCleaner
9bba213d8c710d947cbd8c68897d870e7d92772f0e030cdde4d606ee54851e5a
GCleaner
aad5ad5b787b03acd7dd5e24e375947b0754161b5eef5cbcdceb36ec1c9acb28
GCleaner
c07572117f9dda3d61518694a205940da38d6d0baef87df01deacdefefe6fd81
GCleaner
c400067603c132c7d6ec11750ca9c6fe9ddb9b1c96831cda54bf50bfa7b01df2
GCleaner
ddb5ba02620ff537ab1fa4de5db434bd155fa3cc288d1a7e5c15422b493fdc81
GCleaner
e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
GCleaner
e5447818976ad7af2ae55ccee4baab64d2a76ce8bcd43654ca8361dc19c91ad4
GCleaner
+ 3'784 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/230529-rszrbscf8t/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
f8227e1389403a5da022cbde52b61e7ed62ab7d8166cf41a040ca25a757a4c79
MD5 hash:
284b941af9d4bbe317c51bc700eb08e8
SHA1 hash:
febe2b67dfa836b2f070a591043a15950c39c72c
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/82b3dd0f-f60f-4d8d-95ca-ad86e33cb79a/
SH256 hash:
c2471af0675cc4978ed44eff76863dd64d398609e812b0622aa8278d5ebd667f
MD5 hash:
dbb4daee1f7b1acf899819620ba2ecdc
SHA1 hash:
8256beeef2f6a71a13ecaa3e60b71abedcd9e055
Link:
https://www.unpac.me/results/82b3dd0f-f60f-4d8d-95ca-ad86e33cb79a/
SH256 hash:
753083de10b230da03c6e2bc4865bbefb9a9c94d8946699d3a6d903048f0ba94
MD5 hash:
fc245721f161c38115ecec21ef18971b
SHA1 hash:
0d7652a91c74b7861948293dfd80f1d7831a73fb
Link:
https://www.unpac.me/results/82b3dd0f-f60f-4d8d-95ca-ad86e33cb79a/
SH256 hash:
0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0
MD5 hash:
1835b641b0e0009bda11d7e4f29c8431
SHA1 hash:
6823cb3f7c8e2b62222805e5af0efae33cf2eaef
Link:
https://www.unpac.me/results/82b3dd0f-f60f-4d8d-95ca-ad86e33cb79a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f41bd199f9dced09ce6af8dd974a67322ef3d26722a2d719bec4f2e595cbcf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2509470/
Cape
Cape
https://www.capesandbox.com/analysis/393104/

Comments